-
-
GetThreadContext调用后无效
-
发表于: 2007-3-20 07:52
-
非常奇怪吧.居然EIP和断点位置相差这么大,不知道是不是撞鬼了
DWORD CALLBACK Findwmwindow(LPVOID pParam)
{
while(1)
{
Sleep(500);
CWnd* pMainWnd = AfxGetMainWnd()->GetWindow(GW_HWNDFIRST);
while (pMainWnd)
{
CString strClassName;
GetClassName(pMainWnd->m_hWnd,strClassName.GetBufferSetLength(100),100);
if(lstrcmpi(strClassName, "XXXXXX") == 0)
{
BOOL alreadyint3=FALSE;
DWORD pid;
DWORD tid;
HANDLE hThread=NULL;
CString processid;
//TerminateProcess(GetWindowThreadProcessId(pMainWnd->m_hWnd,NULL),4);
//return 1;
tid=GetWindowThreadProcessId(pMainWnd->m_hWnd,&pid);
HANDLE nOK =OpenProcess(PROCESS_ALL_ACCESS|PROCESS_TERMINATE|PROCESS_VM_OPERATION|PROCESS_VM_READ|
PROCESS_VM_WRITE,FALSE,pid);
//HANDLE hThread =OpenThread(THREAD_ALL_ACCESS,FALSE,tid);
BYTE writebyte;
DWORD nSize;
writebyte=(BYTE)0xCC;
DebugActiveProcess(pid);
//processid.Format("%u",pid);
//MessageBox(NULL,processid,NULL,NULL);
CONTEXT conText;
DEBUG_EVENT dbg = {0};
BOOL bFlags = TRUE;
while(bFlags)
{
WaitForDebugEvent(&dbg, INFINITE);
switch(dbg.dwDebugEventCode)
{
case CREATE_PROCESS_DEBUG_EVENT:
::MessageBox(NULL, _T("游戏进程创建"), _T("测试"), MB_OK);
hThread=dbg.u.CreateProcessInfo.hThread;
//WriteProcessMemory(nOK,(LPVOID)0x58A236,&writebyte,1,&nSize);
break;
//case CRATE_THREAD_EVENT:
//break;
case EXIT_PROCESS_DEBUG_EVENT:
::MessageBox(NULL, _T("游戏进程退出"), _T("测试"), MB_OK);
bFlags = FALSE;
break;
case EXCEPTION_DEBUG_EVENT: //注意
switch(dbg.u.Exception.ExceptionRecord.ExceptionCode)
{
case EXCEPTION_BREAKPOINT:
if(alreadyint3==TRUE)
{
//char* buffer;
char buffer2[40];
//buffer=buffer2;
conText.ContextFlags = CONTEXT_FULL;
//CONTEXT_FULL;
::GetThreadContext( hThread, &conText );
CString eax;
char szbuffer[30]={'\0'};
::wsprintf(
szbuffer,
"ExceptionAddress=%.8X",
dbg.u.Exception.ExceptionRecord.ExceptionAddress);
//弹出异常发生地址提示
::MessageBox(NULL,szbuffer,"BREAK――POINT",0);
CONTEXT cn;
cn.ContextFlags=CONTEXT_FULL;
::GetThreadContext(
hThread,
&cn);
::wsprintf(
szbuffer,
"IP=%.8X",
conText.Eip);
//提示异常发生线程的EIP
::MessageBox(NULL,szbuffer,"",0);
DWORD ADDD=(DWORD)::GetProcAddress(
::GetModuleHandle("USER32.dll"),
"MessageBoxA");
eax.Format("eax %.8X",conText.Eax);
::MessageBox(NULL,eax, _T("测试"), MB_OK);
eax.Format("ecx %.8X",conText.Ecx);
::MessageBox(NULL,eax, _T("测试"), MB_OK);
eax.Format("edx %.8X",conText.Edx);
::MessageBox(NULL,eax, _T("测试"), MB_OK);
eax.Format("ebx %.8X",conText.Ebx);
::MessageBox(NULL,eax, _T("测试"), MB_OK);
ReadProcessMemory(nOK,(void * )(conText.Eax),buffer2,30,&nSize);
::MessageBox(NULL,buffer2, _T("测试"), MB_OK);
//ResumeThread(dbg.u.CreateProcessInfo.hThread);
ContinueDebugEvent(dbg.dwProcessId, dbg.dwThreadId, DBG_CONTINUE);
}
alreadyint3=TRUE;
break;
}
break;
//ContinueDebugEvent(dbg.dwProcessId, dbg.dwThreadId, DBG_CONTINUE);
//DebugActiveProcessStop(dbg.dwProcessId);
//bFlags = FALSE;
//continue;
}
ContinueDebugEvent(dbg.dwProcessId, dbg.dwThreadId, DBG_EXCEPTION_NOT_HANDLED );
}
//::CloseHandle(GetWindowThreadProcessId(pMainWnd->m_hWnd,NULL));
//MessageBox(NULL,strClassName,NULL,NULL);
}
pMainWnd = pMainWnd->GetWindow(GW_HWNDNEXT);
}
}
return 1;
}
运行debugtest.exe和loader.exe
然后点loader.exe上的附加进程
再点debugtest.exe的创建线程.你就可以看到错误的发生了.
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
 ??????????
|
|
|
最初由 llydd 发布 帮我改下代码,谢谢了 例子程序在第一贴内 |
|
|
|
|
|
|
|
|
最初由 xIkUg 发布 似乎是如此,你的 ::GetThreadContext( hThread, &cn);中的hThread 是通过hThread=dbg.u.CreateProcessInfo.hThread;取得的,这是主线程句柄 而不是发生异常线程的句柄  不知是否说错
|
|
|
|
|
|
::GetThreadContext(hThread,&cn)中的hThread
是通过hThread=dbg.u.CreateProcessInfo.hThread;取得的,这是主线程句柄 而不是发生异常线程的句柄,你可以在处理EXCEPTION_DEBUG_EVENT调试事件的时候通过dbg.dwThreadId取得发生异常的线程ID,然后通过OpenThread得到线程句柄,再以该线程句柄为参数去调用GetThreadContext
|
|
|
最初由 llydd 发布 谢谢大哥,果然是这样.太爽了。完成了 |
